Making DragonFly compatible with NSS/ldap

Francois Tigeot ftigeot at wolfpond.org
Sun Mar 23 02:51:45 PDT 2014


Hi,

The Name Service Switch (NSS) mechanism is the industry-standard way
to interact with user accounts stored in an LDAP directory on Unix-like
systems.

Unfortunately DragonFly cannot use it, the reasons being:

- NSS works by loading dynamic libraries, and this cannot be done with
static binaries (fundamental dlopen(3) limitation)

- DragonFly /bin and /sbin binaries are static


In order to make DragonFly compatible with the NSS mechanism, we thus
need to use dynamic binaries for /bin and /sbin.


Some BSD-based operating systems already moved from static to dynamic
binaries for these directories.

* NetBSD switched in 2002:
http://www.bsdnewsletter.com/2002/08/News34.html

* FreeBSD switched in 2003:
http://lists.freebsd.org/pipermail/freebsd-arch/2003-June/000644.html

Using dynamic binaries in /bin and /sbin is not so difficult; I have been
running a few machines with such a system for a while. NSS authentication
modules from dports work out of the box.

Unfortunately, there are some fears dynamic binaries are not as reliable
as static ones and that static binaries must be kept to recover from
future potential breakages.

FreeBSD and NetBSD use a /rescue directory on the root filesystem for this
purpose.


This rescue thing is the most problematic part, not because of some
technical challenges but due to general disagreement among developers.
Discussions in the IRC channel are going nowhere.

In doubt, I have created a minimal /rescue directory with some essential
binaries from /bin and /sbin linked statically, like NetBSD and FreeBSD
did more than 10 years ago.


The rescue and dynamic root features are in two separate git branches:

- http://gitweb.dragonflybsd.org/~ftigeot/dragonfly.git/shortlog/refs/heads/dfly_rescue

- http://gitweb.dragonflybsd.org/~ftigeot/dragonfly.git/shortlog/refs/heads/dfly_dynamic_root


My plan is to push the rescue part first and then the dynamic root one a
while later. Ideally we would have dynamic binaries for the 3.8 release.

I should probably trim /rescue a bit first though; I initially started to
add static versions of all /bin and /sbin binaries to it and this is a bit
overkill for a minimal repair system.
Its current size is 38MB on amd64 hosts.

-- 
Francois Tigeot
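
Added example, not part of the original message or of DragonFly's code: a small audit script that reports whether an executable is statically or dynamically linked, which is the property that decides whether it can dlopen(3) NSS modules. It assumes that a PT_INTERP program header marks a dynamic executable; the names `elf_linkage` and `sample_elf64` are hypothetical and the sample ELF images are constructed.

```python
import struct
import sys

PT_LOAD, PT_INTERP = 1, 3  # program header types from the ELF specification


def elf_linkage(image: bytes) -> str:
    """Return 'dynamic', 'static' or 'not-elf' for the bytes of a file."""
    if (len(image) < 16 or image[:4] != b"\x7fELF"
            or image[4] not in (1, 2) or image[5] not in (1, 2)):
        return "not-elf"
    endian = "<" if image[5] == 1 else ">"  # EI_DATA: 1 = LSB, 2 = MSB
    # Header fields that follow the 16-byte e_ident, for ELF64 or ELF32.
    fmt = endian + ("HHIQQQIHHHHHH" if image[4] == 2 else "HHIIIIIHHHHHH")
    if len(image) < 16 + struct.calcsize(fmt):
        return "not-elf"
    fields = struct.unpack_from(fmt, image, 16)
    phoff, phentsize, phnum = fields[4], fields[8], fields[9]
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(image):
            break  # truncated program header table
        # p_type is the first 32-bit word of a program header in both classes.
        (p_type,) = struct.unpack_from(endian + "I", image, off)
        if p_type == PT_INTERP:
            return "dynamic"  # requests a runtime linker, so dlopen(3) can work
    return "static"


def sample_elf64(p_type: int) -> bytes:
    """Constructed minimal little-endian ELF64 image with one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, 0, 0, 0, 0, 0, 0, 0)
    return ident + ehdr + phdr


if __name__ == "__main__":
    # Usage: python3 script.py /bin/* /sbin/*
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_linkage(fh.read()))
```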


